Experts Say It Will Take a Moonshot Commitment to Achieve Cybersecurity by 2028

Protecting cyberspace from attacks both foreign and domestic by 2028 requires a national “moonshot” commitment to rally support and educate our young people to create the necessary workforce to bolster our security, insisted speakers at the symposium, “Attacking the Roots of Cyber (In) Security: The Role of Education.” The Cyber Center for Education & Innovation (CCEI)–Home of the National Cryptologic Museum (NCM) conference was hosted by University of Maryland University College (UMUC) Nov. 8.

They used as their model John Kennedy’s call to action—to land a man on the moon before the end of the 1960s—that inspired the nation.

“The moonshot effort resulted in millions of kids signing up to be engineers, aspiring to be as great as the hundreds of thousands of heroes who put a handful of heroes on the surface of the moon and returned them safely,” said opening keynote speaker retired Army Gen. Dennis Via, who is now an executive vice president and Defense Fellow at Booz Allen Hamilton. “This is the kind of game-changing initiative we need today to attack the roots of cyber insecurity.”

But skeptics at the conference questioned whether the cause of cybersecurity could possibly inspire the same enthusiasm as the potential for a moon landing.

Retired Navy Adm. Betsy Hight, now vice president of Cybersecurity Practice at Hewlett-Packard, said the term “cybersecurity” itself creates a language barrier in describing the need for protection in the digital age.

“When President Kennedy said, let’s go land on the moon, we all knew what that meant,” Hight said. “We knew it would take a lot of discipline and we pulled all together. Do you think this term cybersecurity is a little daunting and misunderstood in such an endeavor?”

Via conceded that Hight was right.

“I am not certain how the term ‘cybersecurity’ resonates to an elementary school or a middle school student,” he said. “If you are speaking to parents, would they really know what you are talking about?”

Perhaps the answer is to start with talking up STEM education—with its focus on Science, Technology, Engineering and Mathematics disciplines—that already has become the buzz term of education, he said.

“Get them excited about this thing called STEM. That is the foundation to me,” he said. “That is what inspires them to light that spark to say this is something I want to do, and then encourage them as they go through elementary, middle and high school. As we talk to the young people here, we have to listen to what resonates with them.”

The symposium focused on a report issued by the Trump administration’s National Telecommunications Advisory Committee the week before the conference that called for a “Cybersecurity Moonshot.”

UMUC President Javier Miyares said the report notes the increasing reliance on the internet for everything we do, “and that [reliance] places each of us, along with our national security, at risk.” The report, he said, calls for the internet to be “safe and secure for the function of government and critical services for the American people by 2028.”

UMUC is proud that since 2010 its cyber programs have added more than 11,500 graduates to the workforce, while another 17,300 students are currently enrolled in those programs, he said.

“Equally important, the governor, the General Assembly, and the Maryland State Department of Education are all taking tangible steps to embed computer science and security concepts in curricula, starting in the early elementary grades,” he said.

In his remarks, Brit Kirwin, the University System of Maryland chancellor emeritus, noted a violation of a fundamental principle of economics—that a shortfall in the number of cyber experts coupled with an industry willing to pay top dollar for talent, should have produced a greater flow of talent to fill the gap. Yet the gap just keeps getting bigger.

Perhaps, he said, there is a more fundamental issue. “The rate of change in the cyber infrastructure, which is phenomenal, is so great that we simply can never have the size and quality of the workforce needed to make our nation cyber secure.”

Candy Alexander, president of the International Board of the Information Systems Security Association, said the industry is constantly impatient with the graduates coming into the workforce, saying they are not hitting the ground running. Business has to be reminded, she said, that it has a responsibility to continually invest in employee education because technology is changing so quickly.

George Washington University professor Diane Burley echoed Adm. Hight’s concerns that students even at the college level don’t know what cybersecurity is. It should be presented to them in ways that the students ask to be employed in it.

And still, she said, only 300 colleges and universities, out of 4,500 nationwide have been designated by the National Security Administration to have the curricula and guidelines to teach cybersecurity.

Featured speaker Education Week staff writer Ben Herold discussed findings from the Education Week Research Center/Consortium for School Networking Survey

And if all of the college students needed for cybersecurity jobs were to suddenly seek to learn it, finding enough professors to teach them would be difficult, Burley said, adding that industry needs to provide employees to teach students, and that would help students make the connection between what they are learning and what they will be doing.

But Mary Ann Davidson, the chief security officer for Oracle, said perhaps the approach to cybersecurity is backward. She gave the analogy of the story of the Dutch boy and the dike. He saw a leak and put his finger in it and saved the town.

“We keep thinking if we had enough Dutch boys with enough fingers, we could solve this problem,” she said. But there never will be enough Dutch boys to plug all of the security leaks. “The problem is we have to redesign the dike.”

Computer programs are not designed to be secure, Davidson said. Until that is turned around to reduce the number of leaks, “we will continue to build unsafe systems that will outstrip the number of cybersecurity people to fix it.”

Cindy Widick, the National Security Agency ’s chief of Cybersecurity Operations, talked about the “talent war” for personnel who can protect the internet from a growing threat from international adversaries as well as criminals. The moonshot analysis is a good one, she said.

“I think back to the Apollo program,” Widick said. “I remember the excitement. I remember it being a national rallying goal. When I think of a moon shot, I think of something that is going to be hard, challenging something that is going to require commitment over time. I think of it as achieving a goal that is worth it as well as something that taps into the human aspiration to be the best at something.”

Still, the gap between visualizing a moon shot and understanding the abstraction of cybersecurity is a challenge that must be overcome, said M.J. Bishop, the Inaugural Director of the University of Maryland’s Center for Academic Innovation.

The profession doesn’t even have a name, she said. Cybersecurityist?

“The very group we are trying to address, middle schoolers, who we need to get to think about STEM careers, can’t think abstractly,” Bishop said. “You can visualize a moon shot; you can’t visualize cybersecurity. They just gloss over it and move on to the next thing.”